Posts

Showing posts from May, 2010

New awareness module on incident management

We have just released June's security awareness module about managing information security incidents a few days early to give customers the option to run the materials from June 1st, if they wish. Information security incidents are security incidents affecting the confidentiality, integrity and/or availability of information assets - IT systems, IT services, data and other forms of information. Despite our best endeavors, it is inevitable that information security incidents will occur from time to time even if we have implemented the very best preventive security controls money can buy. Paradoxically, highly secure organizations are arguably in greater need of professional incident management processes than those with weaker security controls since they have fewer incidents to ‘practice’ on, and those that occur tend to be both unanticipated and serious. The new awareness module describes the processes necessary to investigate, resolve and learn from all sorts of information secu...

Just fell out of the trees?

Just in case anyone really did just fall out of the trees, be aware that the following email is most definitely a SCAM to capture login credentials for email systems: Your mailbox has exceeded the storage limit which is 20GB as set by your administrator, you are currently running on 20.9GB, you may not be able to send or receive new mail until you re-validate your mailbox. To re-validate your mailbox please; Fill the below details: First Name: Last Name: Email Address: Username: Password: Confirm Password: Mail to: ... The scammer's dubious English possibly indicates he's either a non-native English speaker, or recently fell from the trees, possibly both.

Five notorious identity thefts

A blogger's list of five well-known identity theft cases reminds me about them but also identifies something I hadn't heard of: One of the bigger types of theft as you can see is utilities fraud (18% of all ID thefts). That is one that most people may not even think about. Essentially, this results from people using a child’s clean credit to get their power, water, gas, cable, or phone services turned back on. They are desperate for these services and will go to any lengths sometimes to make sure they get them (including ID theft). Googling some key phrases from that blog brought me to another site that published a bunch of statistics on identity theft, mostly prior to 2009. Their identity theft risk self-assessment form is a simplistic but quick way to find out how at-risk you are.

Wake up call for phishing victims

Organizations used as phishing lures, or whose websites have been hacked to become phishing sites, have been redirecting potential phishing victims to an educational page on the APWG (Anti Phishing Working Group) website, in the hope that some of them will realize the error of their ways and may perhaps be a little more cautious in future. Mind you, a fake online banking balance page showing their bank accounts well into the red might be a more effective wake-up call for some ...

Fined for not using the specific words "security awareness"

The Chelan County Public Utility Department has been fined $13,000 for three alleged violations of the NERC information security standards, but reading the news story at Wenatchee World reveals that one of those three was 'failure to use the specific words “security awareness” in documents showing that certain personnel have received ongoing training in “sound security practices.”' Failure to use the specific words "security awareness"?!?! If that's the truth of it, I might agree with PUD officials' claim that this amounts to a "difference of opinion with auditors over how to interpret federal standards". However, I wonder whether the true nature of the alleged non-compliance was perhaps a little more serious - like perhaps the PUD came up with some internal memos or whatever, claiming that they substantiated their security awareness program whereas in fact they were not really intended or used for that specific purpose. I'm only guessing he...

Gilding the lily

Hearing about someone who allegedly falsified background details to get into Harvard reminds us to check resumes or CVs of those who apply for powerful, trusted positions.

Visualization of security metrics

I've been pondering information security metrics for some years now, primarily from the angle of figuring out what might be the "few good metrics" actually worth measuring whilst avoiding pitfalls such as reporting stuff that is simply easy to count or measure. I can't say I've truly bottomed-out that line of thought but I'm moving on to consider the issues around reporting metrics, particularly the concept of "visualization". I've been prompted to look into this by a visually appealing representation of the number of US men anticipated to die this year as a result of various causes. The graphic stimulates viewers to explore the numbers, comparing and contrasting figures ... but that's about it. It's left entirely to the viewers to draw their own conclusions. Many will not bother. But does the eye-candy graphic achieve its purpose better than simple lists or tables of mortality figures? Oh yes! It's stimulating instead of bo...

An unwise challenge

From Wired: Apparently, when you publish your Social Security number prominently on your website and billboards, people take it as an invitation to steal your identity. LifeLock CEO Todd Davis, whose number is displayed in the company's ubiquitous advertisements, has by now learned that lesson. He's been a victim of identity theft at least 13 times, according to the Phoenix New Times. Remember kids, don't play with fire and don't run with scissors.

$17m scammed by identity thief

An Orange County real estate broker has been found guilty of using stolen identities to buy 35 properties and intentionally defaulting on the loans to steal more than $17 million. A Superior Court jury found Kathy Chen guilty Tuesday of 136 felony counts, including conspiracy, grand theft, forgery and identity theft. Chen faces 111 years in prison when she is sentenced in July. News cutting from Mercury News

No honor among thieves

The Miami Herald reports that when police stopped a vehicle with (presumably) false plates, they (allegedly) found the occupants in possession of numerous stolen electronic benefits transfer cards in the names of prisoners. They had been using them to withdraw benefits payments/food stamps. It's not entirely clear from the article how the "names and personal information of inmates found on websites" were actually used to apply for the cards, but it certainly points to a failure of the corresponding identification and authentication controls. Makes a change from abusing the identities of the dead I suppose. All the best, Gary

P2P: Prevent To Protect

In February, the US Federal Trade Commission, no less, sent letters to almost 100 organizations advising them that personal information had been "shared" on peer-to-peer file-sharing networks. This is not the first time P2P software has been blamed for disclosing sensitive information and other information security incidents, and I'm sure it won't be the last. I wonder what those 100 organizations did about it? Come to that, what about the millions of other organizations that missed out on their FTC notices, oh and not forgetting the millions of individual home users using LimeWire, BearShare, Kazaa and dozens of other peer-to-peer file sharing networks? “It sounds preposterous, but sensitive information leaking out unintentionally like this is amazingly common,” says Eric Johnson, director of digital strategies at Dartmouth’s Tuck School of Business. “Look at the file sharing networks and you’ll find people exposing things all the time.” In fact, data leakage vi...

What the awareness audience hears

Hear roughly what technical IT security awareness content, presented by IT security people, sounds like to the average employee here. Finding the right people to write and deliver security awareness messages is not quite as easy as you might think.

The value of awareness

A short news item about a woman who spotted a phishing letter ably demonstrates the value of security awareness. If she had not known to watch out for the warning signs, she may well have fallen for the scam.

Red flag day coming up fast

From June 1st, more US organizations will have to comply with "red flag rules" which are nothing to do with Communism, semaphores or that man walking in front of a horseless carriage but were introduced by the Fair and Accurate Credit Transactions Act (FACTA) in 2003 in order to reduce America's identity theft epidemic. The red flags essentially involve financial institutions reporting suspicious activities and transactions to the authorities, in much the same way as money laundering laws and regulations. Banks are already required to comply but other US financial organizations have just a few short days to polish off their controls. The Baltimore Sun says: Be prepared to pull out your driver's license on your next visit to the dentist. And don't be surprised if a retailer asks for a birth date or mother's maiden name if it's giving you credit for your big-ticket purchase. They're just following federal rules to protect consumers from identity t...

Corporate identity theft

Computerworld tells us that someone has been trying to flog counterfeit Cisco-branded network equipment to the US Marines: U.S. agencies targeting the sale of counterfeit networking hardware have gotten 30 felony convictions, including a man attempting to sell fake networking equipment to the U.S. Marine Corps, and seized $143 million worth of fake Cisco hardware, the U.S. Department of Justice said on Thursday ... There was a 75 percent decrease in seizures of counterfeit network hardware at U.S. borders from 2008 to 2009, CBP said ... On Thursday, Ehab Ashoor, 49, a Saudi citizen residing in Sugarland, Texas, was sentenced in the U.S. District Court for the Southern District of Texas to just over four years in prison and ordered to pay $119,400 in restitution to Cisco Systems. On Jan. 22, a jury found Ashoor guilty of charges related to trafficking in counterfeit Cisco products, the DOJ said. It seems to me the counterfeiters have stolen Cisco's name, trademarks and brands, whic...

Is no-one saphe?

According to the American Forces Press Service: WASHINGTON, May 10, 2010 - U.S. Strategic Command officials are urging renewed vigilance against Internet-based identity theft after detecting a widespread 'phishing' expedition against servicemembers. Phishing is a term used to describe deceiving people into divulging personal information such as passwords or account numbers over the Internet. Beginning as early as May 2009 and lasting as late as March 2010, numerous fraudulent e-mails were sent to financial customers of USAA and Navy Federal Credit Union, Stratcom officials said in a recent news release. The e-mails, which appear to originate from USAA and the credit union, ask the recipient to provide or verify personal information such as name and rank, account numbers, date of birth, mother's maiden name, address and phone numbers, online account user name and password, credit card numbers, personal identification numbers for automated tellers, and Social Security numbe...

Call me paranoid but ...

... is it acceptable for Google not only to drive around the country collecting photographic information about its citizens, but also to sniff their WiFi router SSIDs? Sure, broadcasting your SSID on a wireless network does put the information in the public domain, but at the same time it is limited to the local area, normally within a few hundred metres. Of course 'some kid with an iPod' could wander by and capture your SSID - so what? But of course most kids with iPods have better things to do than snoop on the entire population. And if the data collection has been done both surreptitiously and systematically by Google, alarm bells really should start ringing. Don't forget that Google also collects information about the searches people are making. It doesn't take a genius to see the potential for them mining their database for all sorts of juicy derived information about individuals. And in the US (where Google comes from), the very concept of personal privacy is...

Facebook furore

There has been a rash of complaints about Facebook's privacy policies and practices over the past few days, creating enough of a stir to draw in even the mighty BBC as well as the mainstream press. The crux of the matter is that Facebook, like other social networking sites, encourages people to post personal information about themselves and their friends, contacts, relatives and acquaintances: establishing links to other people is the 'networking' part of social networking. Short of some form of virtual diode, those links are bidirectional, in other words if you link to me, then someone can probably retrace that link from me back to you. Publishing personal links and other personal information in any online forum is not considered A Good Idea from the privacy and identity theft perspective. This includes publishing personal information about other people, not just yourself. Therefore, we are all at risk from inappropriate publication of our personal details by our nai...

Self-phishing not risk-free

Unusual story in PC World about the unanticipated consequences of sending a fabricated phishing story to employees as an awareness-raising exercise: Security testers at the Guam Air Force base's 36th Communications Squadron had to send out a clarification notice on Monday after an in-house test -- called an operational readiness exercise (ORE) in Air Force parlance -- of how airmen would respond to a phishing e-mail worked out a little too well. The e-mail said that crews were going to start filming "Transformers 3" on Guam and invited airmen to fill out applications on a Web site if they wanted to work the shoot. The Web site then asked them for sensitive information. This type of in-house phishing exercise is a routine occurrence in the military and in major corporations, and is generally seen as a good way of promoting security awareness. But in Andersen's case, the information in the phishing e-mail started leaking to the civilian world. As with penetration testi...

ATM crime & how to avoid it

ENISA published this paper (plus corrections to some of the reported annual loss figures) last September, describing the many ways that crime is being committed using ATM (Automatic Teller Machines - hole-in-the-wall cash machines to you and me). Techniques for stealing credentials range from hi-tech approaches using card skimmers and false-front ATMs (even completely bogus ATMs have been used) to lo-tech shoulder surfing and distraction robbery. If nothing else, print off their "golden rules to reduce ATM crime" (pages 24 & 25 of the report) and speak to your friends and family members about the simple recommendations to reduce your personal risks. I've just looked up my bank's emergency/lost-or-stolen card numbers and popped them into my mobile phone, for instance. Brian Krebs recently blogged about ATM skimmers. I find various readers' comments on Brian's blog somewhat perplexing: some claim that chip-n-PIN is "too expensive" for the U...

Thieving from the tax man

A group of sophisticated identity thieves managed to steal more than $4 million by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased, according to a 74-count indictment unsealed in Arizona Thursday.

Why weren't you in court today?

This may be a few years old but there's a pretty good chance scams like this are still working nicely. The phone rings, you pick it up, and the caller identifies himself as an officer of the court. He says you failed to report for jury duty and that a warrant is out for your arrest. You say you never received a notice. To clear it up, the caller says he'll need some information for "verification purposes"-your birth date, social security number, maybe even a credit card number. This is when you should hang up the phone. It's a scam. The FBI advisory on this recommends "Never give out personal information when you receive an unsolicited phone call". I have occasionally received unsolicited calls from my bank. After the briefest of introductions, they normally ask me for my credentials in order to continue discussing whatever it is. It still perplexes me that they get all shirty with me when I insist on being given their credentials first - after all, ...

Fraudaid victim advice site

Fraud Aid, Inc. is a California Public Benefit Corporation and 501(c)(3) nonprofit organization founded to provide free support and guidance to fraud victims and their families worldwide; to provide fraud awareness, prevention and recognition education in a manner easily understood by all; and to support law enforcement at all levels in their effort to deter fraud and bring its perpetrators to justice. Their website may be a bit of an explosion in a bit factory but there's certainly no shortage of advice for those who find themselves victims of identity theft or drawn in to myriad other scams.

ENISA report on Mobile Identity Management

A 35-page ENISA document on Mobile Identity Management covers a lot of ground, starting from some 'use cases' describing typical situations in which, for example, a person's identity needs to be authenticated while they are on the move. The well-written and referenced paper goes on to describe the risks such as identity theft and eavesdropping, and then approaches for aspects such as federated identity management: Identity federation can be defined as the set of agreements, standards and technologies that enable a group of service providers to recognise user identifiers and entitlements from other service providers within a federated domain. These agreements include policy and technology standards, resulting in a single virtual identity domain. Federation refers to mechanisms for cross-domain authorization, while provisioning refers to the provisioning of users from authoritative systems to subsidiary systems. In addition to federation, provisioning may be necessary in the...

Using stolen corporate IDs to steal personal IDs

Stealing personal financial information is evidently not so hard if one has the usernames and passwords used to access commercial accounts at the credit checking bureaux. Said bureaux claim to have sharpened up their act after tens of thousands of credit records had been stolen and presumably exploited for identity theft using a former employee's credentials. It appears there is a conflict between the need to make the credit checking process as easy and quick as possible (for example when someone in a retail store requests credit to buy a car, furniture or expensive electronics) while at the same time protecting the identities of the individuals being checked.

Interview with an identity thief

A short interview with an identity thief makes some interesting points. It explains the way this gang obtained false credentials, duped retail stores into selling them goods and then fenced the goods to generate cash. The fraudster being interviewed is described as an innocuous looking old man: Upon initially meeting Grandpa, my "police radar" failed to go off because by all physical accounts, Grandpa appeared to be unassuming and anything but your stereotypical criminal. Having dealt with criminals of all shapes and sizes and knowing better than to discriminate in such a fashion, a 5'10" lanky and elderly bald white male, dressed in a white t-shirt, sweatpants, and sandals, just translated to me as an elderly harmless man. This kind of brazen fraud naturally relies upon fooling even fairly alert checkout staff, and in large stores with multiple checkouts, the fraudster often has the choice of who to dupe.